Freigeben über

Detecting BitLocker

  • Artikel

Although the most appropriate way to detect BitLocker is to use the interfaces in BitLocker’s WMI provider, specifically the "GetEncryptionMethod", But sometimes, you might wish to detect a BitLocker volume when the WMI provider is not available – such as when running a disk tool from another OS.

I stress that the "GetEncryptionMethod" should always be used if it is available. GetEncryptionMethod asks the BitLocker filter driver to report the status of the volume, and using it will make your program much more "future proof". In contrast, a program that looks at the content of the physical disk directly will require revision whenever the BitLocker disk structures change. But, if the WMI provider is not running (that is, when you are not running Windows Vista), using a method like a direct disk read is required.

Now with all these cautions aside, how can we actually detect a BitLocker-protected volume? The simple answer is that a BitLocker volume can be detected because it will have an easily recognizable BIOS Parameter Block (BPB). Note that the partition type for a BitLocker will normally be the same as that used for NTFS, which is one of the Installable File System (IFS) partition types.

BitLocker BIOS Parameter Block

A BitLocker volume has a clear-text BPB much like FAT and NTFS. The BPB is located at the first 0x54 bytes of the first sector of the volume.  A BitLocker volume has a BPB that has the following characteristics:

Offset

Size

Field

Required Value for BitLocker

0x003

8

Signature

‘-‘,’F’,’V’,’E’,’-‘,’F’,’S’,’-‘

0x00B

2

BytesPerSector

 

0x00D

1

SectorsPerCluster

One of 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40 or 0x80

0x00E

2

ReservedClusters

0x0000

0x010

1

FatCount

0x00

0x011

2

RootEntries

0x0000

0x013

2

Sectors

0x0000

0x016

2

SectorsPerFat

0x0000

0x020

4

LargeSectors

0x00000000

0x038

8

MetadataLcn

 

Since other file systems, such as FAT, also use a BPB structure, it’s not enough to rely on the "Signature" field alone to determine that the volume is a BitLocker volume. All the fields above with a "Required Value" must be checked.

BitLocker Metadata Location

BitLocker stores multiple copies of the volume metadata, and the first copy can be located from information in the BPB. The byte offset of the first metadata location is calculated as MetadataLcn * SectorsPerCluster * BytesPerSector. The structure found at this byte offset has the following format:

Offset

Size

Field

Content

0x000

8

Signature

‘-‘,’F’,’V’,’E’,’-‘,’F’,’S’,’-‘

0x008

2

Size

Size of structure. Validation data follows this structure.

0x002

2

Version

0x0001 for current version.

0x004

 

Version specific content.

Conclusion

By examining the BPB and the BitLocker Metadata – all of which is available in plain text – it is possible to conclusively determine that the volume has been configured as a BitLocker volume and what revision of the BitLocker structures apply to the volume.

-
Jamie Hunter